Who We Are

Software Engineering Institute, Carnegie Mellon University
http://www.sei.cmu.edu

• Client Technical Solutions
• Software Engineering Measurement and Analysis
• Architecture Practices
• Product Line Practice
• Team Software Process
• Advanced Mobile Systems
• Cyber-Physical and Ultra-Large-Scale (ULS) Systems
• Heterogeneous High-Performance Cloud Computing
• Cyber Intelligence
• Adaptive and Autonomous Systems
• Analytics/Applied Machine Learning
• Prototype Application Development
• Data Architectures
• Human-Information Interaction
Me - Not Me

Not Me
• http://en.wikipedia.org/wiki/Dennis_Allen_(American_football)
• http://en.wikipedia.org/wiki/Dennis_Allen_(criminal)
• www.dennisallen.com

Me
• www.linkedin.com/pub/dennis-allen-cissp/4/972/a70
• How to become a Cyber Warrior podcast
  http://www.cert.org/podcasts/podcast_episode.cfm?episodeid=34730
• Digital Investigation Workforce Development
  http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=52445
Overview

• What is a Common Operating Picture (COP)
• COP Challenges
• Nagios and Google Earth (with a live demo)
• Lessons Learned
What is a COP?

“A common operational picture (COP) is a single identical display of relevant (operational) information (e.g. position of own troops and enemy troops, position and status of important infrastructure such as bridges, roads, etc.) shared by more than one Command. A COP facilitates collaborative planning and assists all echelons to achieve situational awareness.”

Source: http://en.wikipedia.org/wiki/Common_operational_picture
Why me

Why Global Situational Awareness?

• Coordinate cyber events
• Incident Response
• Scope/Impact
• Optimization
• Continuity of Operations
• Proactive monitoring
• Anomaly detection
• Intel tipper
What data do we have?

• Availability
  • Servers & Services
• IDS/IPS Alerts
  • Network and/or Host
• Network Monitoring
  • MRTG, NTOP, Flow
• Tickets
• Other Logs
  • Security Events
  • System Events
  • Performance data
What data is important?

• Confidentiality
  • Data Loss Prevention (DLP)
• Integrity
  • File Integrity Monitoring (e.g. Tripwire)
  • Maybe performance monitoring (e.g. SNMP, MRTG)
• Availability
  • Easier to monitor (e.g. Nagios)
• Authentication/Authorization
  • Important, but often overlooked
  • Log management (e.g. Splunk)

Anything Non-Cyber?
What is actionable?

• Initial Obstacles
  • False Positives
  • Information Overload
  • Information Relevance
• Cyber Response Actions...
  • Block IP
  • Attack back?
• Non-Cyber Response Actions
  • Notify Law Enforcement
  • Initiate internal procedures (e.g. employee termination)
Why Nagios®?

Why Google Earth?

• Nagios wasn’t quite enough
• Wanted a better form of Geolocation
• No need to develop something new
• Numerous features
• Can also be used in a closed environment
• It’s cool, and people like cool

© 2015 Carnegie Mellon University


Google Earth Demo

[Screenshot 1: Google Earth with a Snort alert placemark and its balloon. Fields shown: Source IP 173.194.73.104 (City: Mountain View, Country: US, Longitude: -122.057403564, Latitude: 37.4192006972); Destination IP 126.2.243.254 (City: Pittsburgh, Country: US); classification: attempted-recon; Signature: ICMP test; ID: CID 13, SID 1; Time: 2012-06-20 17:39:24.]

[Screenshot 2: the “Google Earth - Edit Network Link” dialog. Name: IDS Alerts; Link: http://10.0.1.13/cop/kml/srcorctest.kml; “Allow this folder to be expanded” checked; “Show contents as options (radio button selection)” unchecked; View Refresh and Description tabs visible.]
How did we get there?

• Incorporated multiple data sources
  • Snort (Snorby on Security Onion)
  • Nagios
  • SharePoint RSS
  • Flow
  • Others
• Leverage standard data formats
  • Keyhole Markup Language (KML)
• Custom code
  • Linux Bash and Python scripts
  • KMLGEN python toolset

[Diagram: data sources (MySQL, MK LiveStatus, CSV, MongoDB, Other) -> Data Query -> CSV -> Kmlgen.py]
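The Data Query -> CSV -> Kmlgen.py stage, as an added example that is not the KMLGEN toolset or any code from the talk: a small Python converter that turns alert rows like the ones in the demo into KML placemarks, drops rows whose coordinates fail a range check (one concrete form of “validate feed integrity”), and builds the KML through the XML API so that a signature string containing markup is escaped rather than becoming part of the document Google Earth loads. The CSV column layout and the three sample rows are constructed assumptions.

```python
import csv
import io
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed sample of what the Data Query stage might hand to the KML
# generator (column layout is an assumption). Row 1 mirrors the demo
# screenshot, row 2 has an out-of-range longitude, row 3 carries markup
# in the signature field.
SAMPLE_CSV = """src_ip,city,country,lon,lat,dst_ip,classification,signature,cid,sid,time
173.194.73.104,Mountain View,US,-122.057403564,37.4192006972,126.2.243.254,attempted-recon,ICMP test,13,1,2012-06-20 17:39:24
10.9.9.9,Nowhere,XX,999,37.0,126.2.243.254,attempted-recon,bad geo,13,2,2012-06-20 17:40:00
10.9.9.10,Pittsburgh,US,-79.99,40.44,126.2.243.254,attempted-admin,"<b>bold</b> sig",13,3,2012-06-20 17:41:00
"""


def valid_coords(lon, lat):
    # Feed-integrity check: coordinates must lie in the WGS84 range.
    return -180.0 <= lon <= 180.0 and -90.0 <= lat <= 90.0


def alerts_to_kml(csv_text):
    """Convert alert rows to a KML string; return (kml, placed, rejected)."""
    kml = ET.Element("kml", xmlns=KML_NS)
    doc = ET.SubElement(kml, "Document")
    ET.SubElement(doc, "name").text = "IDS Alerts"
    placed = rejected = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            lon, lat = float(row["lon"]), float(row["lat"])
        except (TypeError, ValueError):
            rejected += 1
            continue
        if not valid_coords(lon, lat):
            rejected += 1
            continue
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = f"{row['src_ip']} -> {row['dst_ip']}"
        # Text is assigned through the XML API, so "<" in an alert field is
        # written as "&lt;" instead of opening a tag in the generated KML.
        ET.SubElement(pm, "description").text = (
            f"{row['classification']} / {row['signature']} "
            f"(CID {row['cid']}, SID {row['sid']}) at {row['time']}"
        )
        point = ET.SubElement(pm, "Point")
        # KML coordinate order is longitude,latitude,altitude
        ET.SubElement(point, "coordinates").text = f"{lon},{lat},0"
        placed += 1
    return ET.tostring(kml, encoding="unicode"), placed, rejected
```

Writing the returned string to a file under the web root (the demo's Network Link points at such a file) is all that remains; Google Earth re-fetches it on the link's refresh interval.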
Lessons learned

People like sizzle

• A COP is different things to different people
  • High Level - Senior Leader
  • Medium Level - Correlation and initial filtering
  • Low Level - Detailed Analysis capability
• Someone needs to “Own” the COP
  • Need to continuously validate feed integrity
  • Need to assess value and customize
  • Need to ensure timely updates (e.g. maps, diagrams, TTP)
• Easier when you control all of the data
• Value of “Intelligence” may be higher than cyber monitoring data
• Google Earth, maps, and similar tools are useful for Geo-coordination
Other Geolocation samples

CERT/CC Blog, GeoIP in your SOC
• http://www.cert.org/blogs/certcc/2013/04/geoip_in_your_soc_security_ope.html

GE Examples from Texas A&M
• http://ticc.tamu.edu/Home/GECop.htm
• http://tfsfrp.tamu.edu/Earth/Layers/TexasCOP.kmz

KML Tutorial
• https://developers.google.com/kml/documentation/kml_tut

Sample Geolocated Intelligence feed
• https://cts.allenvanguard.com

Twitter Geolocation
• http://trendsmap.com

Geographical representation of intrusion events
• http://leonward.wordpress.com/2009/03/15/geographic-representation-of-intrusion-events/

More Nagios
• http://exchange.nagios.org/directory/Addons/Maps-and-Diagrams/nagmap/details
Questions?